The cybersecurity and space sectors not only are intertwined but also have much in common. Both sectors are emerging and represent massive economic potential. Many people underestimate the importance of both sectors to their daily lives. Governments around the world are prioritizing these sectors for many reasons, including for security and sovereignty.
There is one big difference, though: announcements about the future of space, including things like Lunar Gateway and future missions to the Moon (NASA 2022), inspire humanity to connect with each other and to reach for the stars, while news about cyberthreats can push us to want to disconnect from the “grid” and perhaps even from each other.
Indeed, state actors are increasingly relying on non-kinetic means (cyber operations, information operations, economic actions and so forth) to pursue their political objectives. This competition below the threshold of armed conflict is increasingly common, impacting infrastructure and computer networks that governments, the private sector, civil society and ordinary Canadians rely on. Non-state actors are also using cyber operations, either as part of a criminal enterprise for their own ends or as deniable cut-outs or proxies for states.
Meanwhile, many other Group of Seven and North Atlantic Treaty Organization countries, such as France, the United Kingdom, the United States and others, are expanding their investment and developing forward-thinking policy to better harness the massive potential of space in the fields of telecommunications, exploration and research, innovation and national security, all of which grows the total size of the global space economy (Satnews 2022). Significant growth in space systems and capabilities for civil and military use increases the dependency on space systems for national and economic security.
The growth of the space economy, the commercialization of space, the increased accessibility of space, the importance of space to other societal functions and the increased dependency on space systems create opportunities for new cyber vulnerabilities in space systems. A wide range of cyberattacks originating from the other side of the world can impact critical infrastructure and vital computer networks (banking, government services and so forth) at home. The interconnected nature of space systems means the threat is global in scope.
Preventing and mitigating cyber risks to space systems face numerous challenges, many of which are outlined in this essay series. These include technical challenges associated with timely detection and accurate attribution of malicious cyber activities, defence policies that emphasize retaliation over pre-emption, and governance challenges associated with the lack of a clear and common framework of norms, rules and responses, financial reporting and international investments.
The prevention and mitigation of cyber risks to space systems requires a shift of perspective. This begins with greater recognition of the human role in both cyber vulnerability and defence. It also requires acceptance of the “forever” nature of the challenge, which involves constant monitoring and evolution of defence methods, approaches and tools. Finally, it needs collective action across governments, the private sector and civil society, both domestically and globally. Such action requires government leadership, including on investment, setting strategic priorities, raising awareness, defining standards and international engagement. Here in Canada, meeting these requirements necessitates an ambitious vision for space.
Some estimates indicate an anticipated four-fold growth rate in new satellites launched in the next decade compared to the last.
Space-Cyber Trends
There is growing recognition of the potential space presents for addressing economic, societal and planetary challenges. This recognition is creating excitement about the potential growth of the new space economy. To compete in this new market, governments such as China, France, India, Russia, the United Kingdom and the United States are investing heavily in domestic space industries and space programs. The potential value is too great not to invest.
The range of space capabilities that present investment opportunity is broad. For example, telecommunications capabilities are delivering connectivity and global network resilience in new ways, such as through the use of constellations of satellites in low-Earth orbit to bring high-speed broadband connectivity to remote, rural and polar areas currently underserved and underconnected. The same technology is being used to connect Ukrainians in a wartime setting where destruction of telecommunications infrastructure can happen at any time (Siegel 2022). Remote sensing technologies are increasingly important as the impacts of climate change accelerate. Satellites provide the ability to monitor changes in the polar ice pack (European Space Agency 2022), assess the risk of wildfire and floods (Arp 2022), track deforestation and desertification (Csillik et al. 2022), and provide key data for resilient infrastructure projects.
These innovative uses of space capabilities depend on data security. Consider remote sensing: cybersecurity is required throughout this process to ensure the data collected can be viewed and interpreted to inform decision making. Ensuring data security is even more important for space exploration. The distances involved, risk and complexity in space exploration for programs such as missions to the Moon and Mars and developing the Lunar Gateway are much greater than for satellites orbiting Earth. The data feeds, manual adjustments and real-time monitoring for space exploration rely on secure data transmissions to and from Earth over hundreds of thousands or even millions of kilometres to achieve the mission.
Cyber vulnerabilities are often caused — intentionally or not — by human actions.
— CIGI (@CIGIonline) February 3, 2023
Learn more by reading @BrianGallantNB and Jordan Miller's essay: https://t.co/61lwlYSywX pic.twitter.com/JPhV7YNGk8
Cyber vulnerabilities are also concerning for military space systems for communications and sensing that today provide the sinew that connects military commanders and units in the air, at sea and on land. The effect on military communications or situational awareness of disabling space platforms could be significant, especially for global operations where space systems are required to maintain connectivity. Gaining unauthorized access to space platforms used by the military could also give an adversary an intelligence pipeline, without ever interfering with the platform’s operations.
Some estimates indicate an anticipated four-fold growth rate in new satellites launched in the next decade compared to the last (Euroconsult 2021). The growth in the number of satellites in space that provide critical data and connectivity — military, civilian and commercial — means a significant expansion in cyberattack surfaces, and therefore an increase in vulnerability.
The first step in addressing this challenge is a perspective shift. No system is fully cybersecure, space or otherwise. This means accepting that risk exists, that threats are always evolving, and that cybersecurity is a “forever challenge” that requires constant monitoring and evolution of defence methods, approaches and tools. This begins with recognizing the human link in cyber vulnerability and defence.
The Human Link
A key element to improve cyber defence is greater consideration of the human dimension of the cyber threat. The cyber domain is human-developed, and the human in the system remains a major threat to cybersecurity. IBM defines four kinds of human insider threats: the pawn, who is unaware and manipulated; the goof, who is an arrogant user who believes they are exempt from security policies; the collaborator, who is actively working with outside entities such as competitors or nation-state actors; and the lone wolf, who often has elevated systems privileges and is motivated by financial gain.1
Any one of these types can create vulnerabilities to cyberthreats, either through neglect or through active malice. Collaborators and lone wolves can cause lasting damage inside an organization by betraying the trust of their colleagues and leaders for their own gain; however, up to 90 percent of an insider threat is attributable to goofs, who bypass security because they underappreciate the threat their actions pose. The malicious actor who is actively trying to undermine cybersecurity should not be ignored, but often it is the human link in the cyber chain that becomes the vulnerability. This is something much simpler than targeted cyberattacks; this is about individuals failing to take simple actions on their own, or malicious actors who use human fallibility for their own gain.
The human limitation is a significant risk for space and defence because there are so many diffuse actors involved in the space and defence ecosystem. Governments, militaries, contractors and consultants, and the companies that manufacture systems and deliver solutions, are part of the broader ecosystem for space capabilities. There is no central authority monitoring all of these activities. Governments and militaries have protocols and processes for cybersecurity, and large companies typically have cybersecurity measures to limit their vulnerability. The “weak link” likely exists somewhere in that network, and it is probably the human.
Technical responses to insider threats such as draconian security protocols that limit a user’s ability to access information and nodes in a network may have unintended consequences, including increased risk caused by routinization and “security fatigue,” capacity limitations and opportunity cost to most workflows. While this approach may be appropriate in highly secured and classified settings, its value elsewhere is limited. Instead, addressing this challenge will require collective effort, starting with investment in people as the lifeblood of cyber defence. There is also the potential for using a risk-based approach that seeks to implement user restrictions at the appropriate level based on the security and sensitivity of the data that is being protected. This approach limits the “fatigue” issue by treating information according to the impact its disclosure would have on the organization, and therefore the risk assessment.
Leading Collective Action
Cybersecurity affects everyone: government, the military, the private sector, civil society and individual Canadians. This means that government leadership is required to inspire and facilitate collective action. The role of national governments is one of investment, raising awareness, defining standards for engagement with the state, establishing strategic priorities and international representation.
Humans are the lifeblood of cyber defence. Government leadership is needed to invest in this critical resource. To sustain the cyber defence field, a robust ecosystem is required to get the most out of the innovative and experienced professionals who drive cyber defence today and to train the future generation of cyber operators and specialists. Science, technology, engineering and math (STEM) education, programs and incubators are vital to developing youth interest and skills for the future of cyber defence. Partnerships with post-secondary institutions are important for delivering formal education, and co-ops, internships and student placements are important to giving students real-life experience in cyber defence. Canada has world-leading post-secondary institutions, especially in STEM. Expanding and strengthening formal education programs and work experience programs are both essential to sustaining the momentum on developing human talent for space and cyber defence.
Leadership is also needed to recognize space infrastructure as critical and to prioritize its protection. While the US government has taken recent steps in this direction, such action is lacking in most countries.
Because space infrastructure is both publicly and privately owned, protecting it requires coordination. This includes efforts to develop awareness about potential technical vulnerabilities and social engineering attacks and to communicate specific threat warnings through official channels. Government must lead in raising awareness about potential cyberattacks that affect space systems. This kind of leadership was demonstrated during the Canadian federal election in 2021, when the Communications Security Establishment took action to defend the Leaders’ Debates Commission against disruption by foreign agencies and removed fake websites that included false government websites with malicious links designed to access the user’s personal information (Woolf 2022).
Governments also have an important role to play in setting standards and best practices. The United States has developed the Cybersecurity Maturity Model Certification (CMMC) to establish standards for different-sized organizations that interact with the federal government. The idea is to tailor the standards for organizations based on their level of risk. Compliance audits and verification are part of the CMMC protocols for organizations above a certain size, establishing an enforceable standard. Like any standard operating practice, it needs a critical mass of people to make it the norm. Government has the authority to set the standard for interacting with government and the size and reach to recommend best practices. Something similar to the CMMC could be useful in setting standards or recommended best practices for cyber defence for space (where existing standards are not sufficient).
Leadership is also needed internationally to continue to develop governance frameworks for outer space. To do this, national governments must collaborate with the private sector and civil society on priorities for new rules and implementation.
But cyber vulnerabilities in space are not a problem only for government leadership. The private sector also has an important role to play in collective action for cyber defence. As the manufacturer and developer of space systems and often the provider of space services, the private sector has a detailed understanding of the vulnerabilities in its own solutions. Companies often remind users of services and solutions that security-based software updates are needed to address a known threat. This role is important for general civilian use applications and tools. For national security-related space systems such as satellites, radars and ground stations supporting situational awareness and telecommunications, identifying vulnerabilities and patching them quickly is essential. Companies should be sharing information with government — confidentially, if required — on any potential vulnerability or threat they detect in their products or networks.
The interconnectedness of the private and public sectors for space technology means that vulnerabilities could have far-reaching impacts if exploited. In addition to designing and delivering most space systems, the private sector is also often involved in direct operational support, data management and providing in-service support and upgrades to software and components. The prominent role of the private sector in managing large parts of the space enterprise in support of government customers means there is shared cybersecurity risk. Shared risk means there is shared responsibility for the security of systems, the data they transmit and store, and at the level of the end-user for data and space-based communications systems. A person or entity that is determined to attack space infrastructure has many potential in-roads based on the interconnectedness of cybersecurity for space systems and networks. This means timely information sharing on risks and potential incidents to keep government and private sector operators on the same page for threats, with immediate information sharing on real-time incidents.
Next Steps for Canada
To address the highly complex challenge of cybersecurity for space systems, an ambitious agenda is required. Taking a long-term view of where space capabilities are going is essential to anticipating where additional systems-level cyber vulnerabilities could exist. The space sector is going to continue growing, which means that challenges should be anticipated where possible, along with ideas for risk mitigation. As one of the main innovators for space technology, the private sector has an important role to play in designing and developing capabilities with cybersecurity in mind. For that reason, collaboration with government on these issues is important.
Innovation is fundamentally a human quality. A robust, ready and eager STEM human capital base is vital to developing tomorrow’s innovation and sustaining innovation into the future. To make that a reality, the STEM pathways — from high school through to post-secondary and into the workplace — should be strengthened. This effort must include encouraging underrepresented groups in STEM to pursue STEM-based opportunities. A robust human capital base enjoying diverse perspectives with STEM education and experience will spur creativity, help sustain innovation and solidify Canada’s place as a space leader.
To assist in realizing Canada’s vision for space, there have been calls for the Government of Canada to establish a National Space Council of Canada (NSCC), chaired by the prime minister and composed of senior ministers. Much like similar bodies in the United Kingdom and the United States, the NSCC would harness a whole-of-government approach to enhance collaboration within government to advance space-related policies, strategies and investments in a coordinated and timely fashion.
Collaboration between government and the private sector is also essential for mutual understanding on what is required and what is possible. A clear, long-term vision will enable the alignment of supporting activities — investment in research and development, the pathway for hiring STEM graduates, developing partnerships for commercializing nascent capabilities and more — to make efficient and effective progress toward realizing the vision.
Given the space and cyber sectors are growing in importance and are indeed intertwined, government has a lot to tackle all at once. Consequently, collaboration internally within government and externally with key stakeholders such as the private sector is pivotal and will, in large part, determine how effectively Canada seizes the opportunities and tackles the challenges created by these two sectors.
